Manoj Karanth

10/24/2016


Considerations before migrating to a public cloud environment

Enterprises continue to show interest in public cloud migration. The largest public cloud players, Amazon Web Services and Microsoft, have recorded growth of 58% and 100% over the past year, respectively. Mindtree has witnessed this trend firsthand as more customers look to us for public cloud migration. Here we share some insights we’ve gained along the way.

Foundational steps

Before deploying applications to a public cloud infrastructure, companies should take several factors into consideration:

Identity: Placement of the identity store determines the future of any cloud strategy. Enterprise applications are dependent on corporate identity and end user systems are dependent on customer identity. One of our clients, a museum, decided to use Salesforce to better serve its donors and ticket buyers. A CRM strategy resulted in a single customer identity repository on Salesforce. Now all new systems, from audio guide applications to e-commerce for tickets and artifacts, are built on the Salesforce ecosystem.

For enterprise applications, corporate identity must extend to the cloud for a seamless experience. That’s one of the reasons why Microsoft gives you a Microsoft Azure Active Directory account in the cloud the minute you become an Office 365 user. This account functions as the gateway and foundation for all applications in the cloud.

Connectivity: Enterprises often have complicated infrastructures made up of on-premises systems, custom applications hosted on the cloud and SaaS-based applications. A cloud-based leave-management system could be connected to an on-premises SAP system, while the employee-performance management system runs on a SaaS application. Companies must make sure that corporate identity supports single sign-on and authorization along with data integration. For example, Ping Identity and Azure Active Directory securely integrate external SaaS systems.

Companies must also consider the security of the connections across this infrastructure for system integration or data transfer. The most common options are a virtual private network (VPN) endpoint or direct-line connectivity with the cloud provider. The volume of data transferred and the latency requirements will guide this choice.

Manageability: How do we isolate areas in a public cloud environment to ensure segregation between development, staging and production environments? This can be achieved through separate cloud accounts, private networks within an account or subnets within a network. Though maximum isolation may be ideal, the choices are constrained by some of the following realities.

Cloud providers offer tiered support SLAs at the developer, business and enterprise levels, and the support tier is determined per account. So if you want cloud isolation by account, it becomes cost-prohibitive for the cloud buyer to purchase the same level of support for every account.

Monitoring agents and collectors used for cloud management and monitoring require isolation from the other systems while still retaining access to them. Duplicating this access per account or VPN can be superfluous. A leading university opted for a separate VPN to house management and monitoring. The VPN connects to the development, stage and production environments through peering connections, which allows the university to have a single account and SLA while still achieving isolation and control for management.

Common pitfalls to avoid

Keep the CIDR block in mind while designing the network. Once assigned, this block cannot be changed, so taking future growth into account will help you allocate it correctly.
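As an added illustration (not part of the original article), the following Python script checks a proposed address plan before any block is assigned: it flags networks that overlap each other (which would prevent the peering design described under Manageability), subnets that fall outside or overlap within their network, and reports the headroom left for growth. The layout and its deliberate mistakes are constructed sample values.

```python
import ipaddress
from typing import Dict, List

# Constructed sample layout (an assumption, not from the article): one private
# network per environment plus a management network peered to the other three,
# in the spirit of the university design described above.
NETWORKS: Dict[str, str] = {
    "management": "10.1.0.0/22",   # deliberately collides with development
    "development": "10.1.0.0/16",
    "staging": "10.2.0.0/16",
    "production": "10.3.0.0/16",
}
SUBNETS: Dict[str, List[str]] = {
    "management": ["10.1.0.0/24", "10.1.1.0/24"],
    "development": ["10.1.0.0/24", "10.1.1.0/24"],
    "staging": ["10.2.0.0/23", "10.2.1.0/24"],     # these two overlap
    "production": ["10.3.0.0/24", "10.4.0.0/24"],  # second one is outside
}

def validate_layout(networks: Dict[str, str], subnets: Dict[str, List[str]]) -> List[str]:
    """Return the list of layout problems; an empty list means the plan is sound."""
    problems: List[str] = []
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in networks.items()}
    # Peered networks must not share address space, and a block cannot be
    # resized once assigned, so catch collisions before anything is provisioned.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"network {a} ({nets[a]}) overlaps {b} ({nets[b]})")
    for name, cidrs in subnets.items():
        parent, subs = nets[name], [ipaddress.ip_network(c) for c in cidrs]
        for s in subs:
            if not s.subnet_of(parent):
                problems.append(f"subnet {s} lies outside {name} ({parent})")
        for i, s in enumerate(subs):
            for t in subs[i + 1:]:
                if s.overlaps(t):
                    problems.append(f"subnets {s} and {t} in {name} overlap")
    return problems

def free_addresses(network: str, used: List[str]) -> int:
    """Headroom left in `network` after the `used` subnets, for growth planning."""
    net = ipaddress.ip_network(network)
    inside = [u for u in map(ipaddress.ip_network, used) if u.subnet_of(net)]
    # collapse_addresses merges overlapping or adjacent blocks so nothing is double counted
    taken = sum(u.num_addresses for u in ipaddress.collapse_addresses(inside))
    return net.num_addresses - taken
```

Run `validate_layout(NETWORKS, SUBNETS)` on the sample and it reports the three planted defects; fix them and the list comes back empty.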

Follow the request flow when architecting the network. A typical request passes through a router, firewall, IPS and load balancer before it reaches the actual DMZ. In an on-premises data center, the rules and policies across these layers proliferate over time, and rationalizing them during the migration yields performance improvements. With one of our clients, we found that the F5 load balancer had more than 40,000 lines of rules, many of which were vestiges of time that only added to request delays. Rationalization of this alone resulted in faster response times.

Almost any security feature requires an exchange of keys. Be sure to plan the storage of and access to these keys as one of the foundational governance building blocks.

These insights should provide some initial direction for companies considering a migration to a public cloud environment. Learn more about how Mindtree can help your company take the next step.